From: Anurag Mandal <anurag.mandal@intel.com>
To: dev@dpdk.org
Cc: bruce.richardson@intel.com, anatoly.burakov@intel.com,
Anurag Mandal <anurag.mandal@intel.com>
Subject: [PATCH v2] net/ice: add MAC anti-spoof option
Date: Sun, 16 Nov 2025 03:57:49 +0000
Message-ID: <20251116035749.45922-1-anurag.mandal@intel.com>
In-Reply-To: <20251113105914.34949-1-anurag.mandal@intel.com>

VRRP advertisement packets are dropped as TX-errors upon transmission from
a VSI of an ice PF due to the MAC anti-spoof check, which is enabled by default.
There is no way to disable this check in the Tx direction to avoid
these packets being dropped.

This patch introduces the devargs "mac-anti-spoof" to allow the user to
disable the MAC anti-spoof check. Disable MAC Anti-spoof check
in the Tx direction to avoid getting dropped as TX-errors upon packet
transmission when their source MAC address matches one of the MAC
addresses assigned to that same NIC port.

Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
V2: Addressed Bruce Richardson's feedback
- changed devargs name to "mac-anti-spoof"
- changed devargs member name to "mac_anti_spoof"
- changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
- set the default value of the devargs to 1
- added NOTICE log msg when MAC Anti-spoof is disabled
- added more code comments to provide clarity
- fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
doc/guides/nics/ice.rst | 11 +++++++
drivers/net/intel/ice/ice_ethdev.c | 50 +++++++++++++++++++++++++++++-
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
index 6cc27cefa7..f7dae93435 100644
--- a/doc/guides/nics/ice.rst
+++ b/doc/guides/nics/ice.rst
@@ -194,6 +194,17 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Disable`` (default ``1``)
+
+ Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped
+ as TX-errors upon packet transmission when their source MAC address
+ matches one of the MAC addresses assigned to that same NIC port.
+
+ MAC Anti-spoof can be disabled by setting the devargs parameter ``mac-anti-spoof``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof=0
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
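Review bot: The entry title ``MAC Anti-spoof Disable`` beside ``(default ``1``)`` reads as if the check were disabled by default, while the devargs is named ``mac-anti-spoof`` and the parser hunk sets it to 1 with the comment "enabled by default". Suggest titling the entry ``MAC Anti-spoof`` and stating outright that 1 keeps the check on and 0 turns it off. The description should also say what 0 changes besides the check itself: the ice_setup_vsi hunk clears ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and sets ICE_AQ_VSI_SW_FLAG_ALLOW_LB, and with the check off the source MAC of frames sent from the VSI is no longer validated, which an operator should know before setting it.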
diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
index c1d92435d1..885ded3473 100644
--- a/drivers/net/intel/ice/ice_ethdev.c
+++ b/drivers/net/intel/ice/ice_ethdev.c
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_ARG,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1761,13 +1763,52 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
/* Source Prune */
if (ad->devargs.source_prune != 1) {
/* Disable source prune to support VRRP
- * when source-prune devarg is not set
+ * when source-prune devargs is not set
*/
vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
vsi_ctx.info.sw_flags |=
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-spoof */
+ /* MAC anti-spoof check is enabled by default */
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+
+ /* By default, Source Prune is disabled and
+ * MAC Anti-spoof check is enabled.
+ *
+ * Source Prune is disabled by setting local
+ * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
+ * flag in the Rx direction.
+ * ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to
+ * prevent transmitted packets from being
+ * looped back in some circumstances.
+ *
+ * MAC Anti-spoof check can be disabled by
+ * clearing ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
+ * ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
+ * flags and setting Tx loopback with
+ * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
+ * Tx direction.
+ */
+ if (ad->devargs.mac_anti_spoof == 0) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid getting dropped
+ * as TX-errors for VRRP support when
+ * mac-anti-spoof devargs is reset
+ */
+ vsi_ctx.info.sw_flags &=
+ ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
+ PMD_INIT_LOG(NOTICE,
+ "Disabling MAC Anti-spoof check "
+ "in Tx direction does not affect "
+ "Source Prune in Rx direction");
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ vsi_ctx.info.sec_flags &=
+ ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
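Review bot: In the mac_anti_spoof == 0 branch, "sw_flags &= ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE" undoes the bit that the source-prune block just set when source_prune != 1, yet the NOTICE text says disabling the check does not affect Source Prune in the Rx direction. Either the log message or the flag handling needs to change. Please spell out in the comment the resulting sw_flags for each combination of source-prune and mac-anti-spoof, since when source_prune == 1 this branch is the only visible writer of sw_flags. Also, the visible context marks only ICE_AQ_VSI_PROP_SW_VALID in valid_sections; please confirm the security section is flagged valid elsewhere in this function, otherwise the new sec_flags value may not take effect.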
@@ -2398,6 +2439,7 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
return -EINVAL;
}
+ ad->devargs.mac_anti_spoof = 1; /* enabled by default */
ad->devargs.proto_xtr_dflt = PROTO_XTR_NONE;
memset(ad->devargs.proto_xtr, PROTO_XTR_NONE,
sizeof(ad->devargs.proto_xtr));
@@ -2467,6 +2509,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
+ &parse_bool, &ad->devargs.mac_anti_spoof);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
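Review bot: "&ad->devargs.mac_anti_spoof" points at a uint8_t (see the ice_ethdev.h hunk) but is handed to parse_bool as an untyped argument. parse_bool is not shown in this patch; if it stores its result through an int pointer, the write runs past the one-byte member into link_state_on_close, which follows it in struct ice_devargs. Please confirm the handler's store width matches the field, or declare the member as int.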
@@ -7732,6 +7779,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
index 72ed65f13b..5fe4688d57 100644
--- a/drivers/net/intel/ice/ice_ethdev.h
+++ b/drivers/net/intel/ice/ice_ethdev.h
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];
--
2.34.1
Thread overview: 4+ messages
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
2025-11-13 11:35 ` Bruce Richardson
2025-11-16 3:57 ` Anurag Mandal [this message]
2025-11-16 7:43 ` [PATCH v2] net/ice: add MAC anti-spoof option Morten Brørup